Posts Tagged ‘chattr’

2011w35

Sunday, September 4th, 2011

I guess the first big thing to happen this week, which I’d be remiss if I didn’t mention it, is that I got a job :D

passtore

This Tuesday I also awoke with the idea that I really should, somehow make it easy for a user to sign the configuration file of passtore. And of course to check said signature as well.

What I want to achieve with that is to engineer out the flaw in security which would appear if an aggressor got hands on the system and added his/her own key id to the list of recipients in the configuration file.

I’ll have to think about that some more.

chattr +i

I don’t particularly like flash. Sadly a great big chunk of the Internet becomes useless without it, and although I should take a firmer stand against flash I have the flashplugin for Firefox installed. One of the really nasty things about flash is those persistent super-cookies which can be set, and quite frankly, Firefox has become a bit heavy lately, so I have been looking around for ways to cut back on add-ons.

I am currently trying out Privoxy as a standalone ad-blocker, and today I got the idea of trying to replace the “Better Privacy” add-on with some file-system hacking instead. In short “Better Privacy” works by trying to detect when a flash super-cookie has been set, and remove it.

This cookie is stored in a file, locally on the file-system. So I did a little thinking. In my home directory there are two hidden directories: .adobe and .macromedia, both containing a directory named Flash_player. Inside one of those (I guess it depends on the version of flashplayer which directory is the relevant one) flash stores these cookies.

So my first idea was simply to delete those two directories. Which of course is silly. The relevant one will just be recreated, at the latest upon the next Firefox restart. So that wouldn’t work.

I could of course instruct fsniper or incron to watch those two directories and have them pounce any newly created content within with an rm -rf command, and although that would work, I don’t particularly like scripted events which includes an rm command. Also I’d have to divert some system resources to that (yes, there are plenty of resources to go around, that’s beside the point) activity, and that wasn’t to my liking either.

Finally it dawned on me. If I removed the directories, they would just respawn, so I’d need to keep them there as placeholders, and make them non-writeable, and really immutable. That way, any time flash would try to get cute, it would hit a brick wall.

So what I ended up doing was:

  1. Purge any and all contents inside .adobe/ and .macromedia/
  2. chmod 0500 ./{.adobe,.macromedia}
  3. sudo chattr +i ./{.adobe,.macromedia}

So now the owner (me) can only read/list the contents of the directories (not modify them) and with chattr +i they are immutable, requiring root privileges to change those permissions.

Your move flash…

Links

Schneier on Security: The Efficacy of Post-9/11 Counterterrorism

MITnews: Killing a cancer cell from the inside out — although I’d worry about mutation, or weaponisation…